In an unprecedented move on April 24, the Reserve Bank of India (RBI) issued a stern directive to Kotak Mahindra Bank (KMB), halting the onboarding of new customers via its digital platforms and suspending the issuance of fresh credit cards. The bank, however, is permitted to continue servicing its existing clientele. This punitive measure by the RBI comes as a response to what has been identified as significant shortcomings in the bank’s IT infrastructure, an issue that has persisted over the course of its rapid growth.
Kotak Mahindra Bank’s CEO, Ashok Vaswani, has publicly acknowledged the ongoing discussions with the RBI, focusing on reaching compliance with the regulatory standards. Nevertheless, the RBI’s stringent oversight over the last two years—covering 2022 and 2023—has revealed “serious deficiencies and non-compliances” across several key domains, including IT inventory management, user access protocols, data security measures, and the robustness of business continuity and disaster recovery strategies. KMB’s failure to comprehensively and promptly rectify these concerns prompted the RBI to declare the bank non-compliant with its corrective actions plans (CAPs), an intervention framework designed to shore up the resilience of financial institutions under RBI’s purview.
The CAPs called for were largely met with inadequate or non-substantiated responses, leaving the RBI unconvinced of KMB’s commitment to establishing a sound IT and risk management framework. A consequence of these vulnerabilities was laid bare through the “frequent and significant outages” experienced by KMB’s online and mobile banking services over the past two years, the latest of which occurred on April 15. In response to customer complaints on social media platforms, KMB’s support acknowledged the “intermittent slowness” due to server issues. These ongoing difficulties will now be subjected to an external audit, sanctioned by the RBI, to evaluate the remedial measures enacted by the bank.
This is not a first for the RBI, which has been maintaining a watchful eye on the burgeoning digital banking sector. A parallel occurrence was witnessed in December 2020 when HDFC Bank was prohibited from introducing new digital offerings or soliciting new credit card customers. This ban was lifted only in March 2022, following the successful implementation of remedial actions. Similarly, the Bank of Baroda faced restrictions in October 2023 for its ‘bob World’ mobile app due to “material supervisory concerns.”
S&P Global Ratings suggests that this regulatory stance may impinge on KMB’s credit expansion and profitability, noting that credit cards are a high-margin segment that saw a 52% year-on-year growth as of December 31, contrasting with an overall loan growth of 19%. The agency, however, maintains that the RBI’s actions are unlikely to have a “material effect” on the bank’s ratings, given that credit cards constitute a mere 4% of the bank’s total loans. Despite the setback, the bank’s credit card operations and their plan to bolster this segment could face a delay, as Mr. Vaswani expressed concern over the “reputational impact” these events might entail.
With its latest quarterly net profit showing an 18% increase, and a solid 13% year-on-year growth in net interest income, KMB’s financials appeared resilient. Nevertheless, the CEO highlighted the bank’s commitment to tech resilience, citing investments into capacity and risk management amounting to roughly 10% of their operating expenses. This commitment has become more crucial as the bank’s brokerage partner, Motilal Oswal, predicts the RBI’s ban could derail the retail segment’s growth and potentially impact margins and profitability.
As KMB’s efforts have largely hinged on digital sourcing, the repercussions of these regulatory measures become more apparent. During HDFC’s analogous predicament, a loss in market share of credit card spending was observed—a scenario KMB might replicate. S&P estimates it might take a year for KMB to thoroughly address the RBI’s concerns, indicating that while the bank has made “significant progress” in technological improvements, the time needed for the implementation of changes and the subsequent external audit is considerable.
In summary, KMB’s situation underscores the RBI’s vigilant stance on ensuring the stability and security of the digital banking landscape, a clear message that financial entities must prioritize not only their growth but also the robustness of their technological infrastructure and compliance frameworks.
